CVE-2025-24023

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-03 16:15

Updated : 2025-03-07 21:44

NVD link : CVE-2025-24023

Mitre link : CVE-2025-24023

CVE.ORG link : CVE-2025-24023

JSON object : View

Products Affected

dpgaspar

flask-appbuilder

CWE

CWE-204

Observable Response Discrepancy

CWE-203

Observable Discrepancy

{"id": "CVE-2025-24023", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-03-03T16:15:41.820", "references": [{"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-204"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3."}, {"lang": "es", "value": "Flask-AppBuilder es un framework de desarrollo de aplicaciones. Antes de la versi\u00f3n 4.5.3, Flask-AppBuilder permite a los usuarios no autenticados enumerar nombres de usuario existentes cronometrando el tiempo de respuesta del servidor cuando se fuerzan solicitudes de inicio de sesi\u00f3n. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.5.3."}], "lastModified": "2025-03-07T21:44:56.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dpgaspar:flask-appbuilder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF28CA72-015B-43B1-A97C-02EA08C00137", "versionEndExcluding": "4.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}